[API] Retrieving SBOM per commit with repos/OWNER/REPO/dependency-graph/sbom ? #61996
Replies: 1 comment
🕒 Discussion Activity Reminder 🕒
This Discussion has been labeled as dormant by an automated system for having no activity in the last 60 days. Please consider one of the following actions:
1️⃣ Close as Out of Date: If the topic is no longer relevant, close the Discussion as
2️⃣ Provide More Information: Share additional details or context — or let the community know if you've found a solution on your own.
3️⃣ Mark a Reply as Answer: If your question has been answered by a reply, mark the most helpful reply as the solution.
Note: This dormant notification will only apply to Discussions with the
Thank you for helping bring this Discussion to a resolution! 💬
Select Topic Area
Question
Body
Hi everyone, hope this is the right place to bring this question. I tried to find related questions/feedback about this but I could not find any, apologies if I did not search enough 🙈
Right now we have an endpoint to retrieve the SBOM attached to the Dependency Graph of a repository.
After some tests, I concluded that such SBOM relates to the head commit in the main branch (the commit hash is part of the exported file name). It would be nice, however, if we could retrieve the SBOM for any other commit hash, so we could go back in the history of SBOMs. Is that possible nowadays?
The value proposition here is being able to track which versions of software components we ship directly to end customers (e.g., CLI tools, Desktop apps, Mobile apps, etc.) are affected by critical vulnerabilities, helping Engineers to prioritize things like security fixes, forced updates, etc.
Thanks in advance!
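An added example, not part of the original post and not GitHub's code: since the post observes that the endpoint reflects the head commit of main, one way to keep SBOM history is to save each response under the commit it was fetched for (for instance from a CI job at release time) and query that archive later. The sample responses, package names, commit ids and function names are constructed, and the fetch itself is left out so the block runs offline.

```python
import json

# Constructed sample responses, shaped like the body returned by
# GET /repos/OWNER/REPO/dependency-graph/sbom: {"sbom": <SPDX document>}.
def _response(packages):
    return {"sbom": {"spdxVersion": "SPDX-2.3", "packages": [
        {"name": n, "versionInfo": v, "externalRefs": [
            {"referenceType": "purl", "referenceLocator": f"pkg:npm/{n}@{v}"}]}
        for n, v in packages]}}

SAMPLE_A = _response([("example-lib", "1.0.0"), ("other-lib", "2.3.1")])
SAMPLE_B = _response([("example-lib", "1.0.1"), ("other-lib", "2.3.1")])

def components(response):
    """Map purl (version stripped) -> version for every package in the SBOM."""
    found = {}
    for pkg in response["sbom"].get("packages", []):
        purls = [r["referenceLocator"] for r in pkg.get("externalRefs", [])
                 if r.get("referenceType") == "purl"]
        # Fall back to the package name when the entry carries no purl.
        key = purls[0].rsplit("@", 1)[0] if purls else pkg["name"]
        found[key] = pkg.get("versionInfo", "")
    return found

def record(archive, commit_sha, response):
    """Store the component list under the commit it was fetched for."""
    archive[commit_sha] = components(response)

def affected_commits(archive, component, vulnerable_versions):
    """Commits whose archived SBOM contains a version listed as vulnerable."""
    return sorted(sha for sha, comps in archive.items()
                  if comps.get(component) in vulnerable_versions)

def diff(archive, old_sha, new_sha):
    """Components whose version changed between two archived commits."""
    old, new = archive[old_sha], archive[new_sha]
    return {k: (old.get(k), new.get(k))
            for k in old.keys() | new.keys() if old.get(k) != new.get(k)}

if __name__ == "__main__":
    archive = {}
    record(archive, "aaaa111", SAMPLE_A)  # constructed commit ids
    record(archive, "bbbb222", SAMPLE_B)
    print(json.dumps(archive, indent=2))
    # Assumption for illustration: version 1.0.0 is the vulnerable one.
    print(affected_commits(archive, "pkg:npm/example-lib", {"1.0.0"}))
    print(diff(archive, "aaaa111", "bbbb222"))
```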